[Snort-sigs] SID: 8440
nigel at ...435...
Mon Apr 23 18:48:07 EDT 2007
On 0, Paul Schmehl <pauls at ...1311...> wrote:
> --On Monday, April 23, 2007 17:25:39 -0400 Nigel Houghton
> <nigel at ...435...> wrote:
> >On 0, Paul Schmehl <pauls at ...1311...> wrote:
> >>Can someone help me understand what this rule is looking for?
> >>alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv2 openssl
> >>get shared ciphers overflow attempt"; flow:to_server,established;
> >>flowbits:isnotset,tlsv1.client_hello.request; content:"|01 03|";
> >>depth:2; offset:2; byte_test:2, >, 256, 1, relative;
> >>reference:bugtraq,20249; reference:cve,2006-3738;
> >>classtype:attempted-admin; sid:8440; rev:2; )
> >>Here's the relevant bits of the payload:
> >>17 03 01 03 00 BE D6 67 8E B4 DA 4F A9 9A 93 9D
> >>18 A8 39 65 B8 6F 33 A8 7C E0 42 B7 E4 E0 66 2F
> >>As I understand it, the packet must have |01 03| at a depth of 2 bytes.
> >>Then, at an offset of two bytes from that a byte_test of the next 2
> >>bytes should not exceed 256. So that would mean that D6+67 is greater
> >>than 256?
> >The rule is looking for a content of 01 03 at an offset of 2 bytes from
> >the start of the packet data with a depth of 2 bytes (01 03 is two
> >bytes). Then it looks at the two bytes following at a distance of 1 byte
> >from the previous content match to see if the value is greater than 256,
> >if it is then alert because it may be an attempt to overflow a buffer by
> >sending too much data.
> OK, I muffed that horribly. :-(
> At an offset of two bytes, for a depth of two bytes, the content should be
> |01 03|, right?
> Now where the heck is the byte_test? The next two bytes? In that case it
> would be |00 BE|, which is not >256, so that can't be right.
No, the byte_test has the form
byte_test:<how many bytes>,<operator>,<size>,<offset>,<optional modifiers>;
So, in this case, check for the content match then byte_test:2,>,256,1,relative
says get two bytes, see if they are bigger than 256 and start 1 byte from the
end of the previous content match (note the relative modifier). Which means,
that you are looking at "BE D6" which is indeed much larger than 256.
> I appreciate you pointing to the RFC, but as I said, I don't read geek.
> Where can I find something that says something like this:
> The first two bytes define the version of ssl being used: here are the
> possibilities. The next two bytes define X, and here are the possible
> values. Etc., etc., etc.
> Someone needs to translate the RFCs into English.
Yeah, that would be a good thing :)
I think that the Netscape specs I pointed to are, however, very good and
explain SSL communications very well indeed.
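The matching logic discussed in this thread, as an added example that is not part of the thread or of the Snort rule set: a small Python model of `content` with `offset`/`depth` and `byte_test` with the `relative` modifier, run over the payload bytes quoted above, plus decoders for the two header layouts those bytes can be read as (the SSLv2 CLIENT-HELLO header the rule is written against, and the TLS record header). The layouts are taken from the SSLv2 and TLS specifications; the benign CLIENT-HELLO is a constructed sample, and all function and constant names are mine.

```python
"""Model of the content/byte_test logic in Snort SID 8440.

Added example, not code from the thread or from Snort itself.  PAYLOAD is
the byte string quoted in the thread; BENIGN_SSLV2_HELLO is a constructed
SSLv2 CLIENT-HELLO with a short cipher list.
"""
import struct

# The first 32 payload bytes quoted in the thread (only bytes 2..6 matter).
PAYLOAD = bytes.fromhex(
    "17 03 01 03 00 BE D6 67 8E B4 DA 4F A9 9A 93 9D "
    "18 A8 39 65 B8 6F 33 A8 7C E0 42 B7 E4 E0 66 2F"
)

# Constructed SSLv2 CLIENT-HELLO: 2-byte record header (high bit set,
# length 31), MSG-TYPE 01, version 3.0, cipher-specs length 6,
# session-id length 0, challenge length 16, two cipher specs, challenge.
BENIGN_SSLV2_HELLO = bytes.fromhex(
    "80 1F"
    "01 03 00"
    "00 06 00 00 00 10"
    "01 00 80 02 00 80"
    + "00" * 16
)


def content_match(buf, pattern, offset=0, depth=None):
    """Snort 'content' with offset/depth: the pattern must lie entirely
    inside buf[offset:offset+depth].  Returns the index just past the
    match (the point 'relative' offsets count from), or None."""
    window_end = len(buf) if depth is None else offset + depth
    idx = buf.find(pattern, offset, window_end)
    return None if idx == -1 else idx + len(pattern)


def byte_test(buf, nbytes, op, value, offset, relative_to=None):
    """Snort 'byte_test:<nbytes>,<op>,<value>,<offset>[,relative]'.
    Bytes are read big-endian (Snort's default).  With 'relative', offset
    is measured from the end of the previous content match."""
    start = (relative_to or 0) + offset
    chunk = buf[start:start + nbytes]
    if len(chunk) < nbytes:
        return False, None
    n = int.from_bytes(chunk, "big")
    ops = {">": n > value, "<": n < value, "=": n == value}
    return ops[op], n


def sid_8440(payload):
    """Mirror of:  content:"|01 03|"; depth:2; offset:2;
    byte_test:2,>,256,1,relative;   Returns (fires, value_tested)."""
    end = content_match(payload, b"\x01\x03", offset=2, depth=2)
    if end is None:
        return False, None
    return byte_test(payload, 2, ">", 256, 1, relative_to=end)


def as_sslv2_client_hello(payload):
    """Read the bytes as an SSLv2 CLIENT-HELLO with a 2-byte record
    header: MSG-TYPE, VERSION-MSB, VERSION-LSB, then three 16-bit lengths
    (cipher specs, session id, challenge)."""
    msg_type, vmaj, vmin, cipher_len, sid_len, chal_len = struct.unpack(
        "!BBBHHH", payload[2:11])
    return {"msg_type": msg_type, "version": (vmaj, vmin),
            "cipher_specs_len": cipher_len, "session_id_len": sid_len,
            "challenge_len": chal_len}


def as_tls_record(payload):
    """Read the bytes as a TLS record header: content type, version
    major/minor, 16-bit fragment length."""
    ctype, vmaj, vmin, length = struct.unpack("!BBBH", payload[:5])
    return {"content_type": ctype, "version": (vmaj, vmin),
            "length": length}


if __name__ == "__main__":
    for name, buf in (("quoted payload", PAYLOAD),
                      ("constructed hello", BENIGN_SSLV2_HELLO)):
        fires, val = sid_8440(buf)
        print(f"{name}: fires={fires} tested_value={val}")
        print("  as SSLv2 CLIENT-HELLO:", as_sslv2_client_hello(buf))
        print("  as TLS record:        ", as_tls_record(buf))
```

Read as an SSLv2 CLIENT-HELLO, the two bytes the rule tests are the CIPHER-SPECS-LENGTH field, which is why the threshold is 256 and why the rule skips one byte (the version LSB) after the `01 03` match. Read as a TLS record, byte 0 (`17`) is the application-data content type, `03 01` is the TLS 1.0 version and `03 00` is the fragment length, so `01 03` at offset 2 is the version LSB followed by the high byte of the length, and the bytes tested (`BE D6`) are simply the first two bytes of encrypted payload; that is how a record like the one quoted satisfies the rule.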